Moments before the Senate vote on a potential railroad strike, Sen. Mark Warner, D-Va., sat down with former acting FDA director for medical device cybersecurity Kevin Fu to talk about another pressing issue: getting the healthcare sector the support it needs on cybersecurity.
At the center of the discussion, of course, were Warner’s recent policy options on cybersecurity as a patient safety issue. As SC Media previously reported, the white paper was heralded as a “hallelujah moment” among industry leaders who have long sought the recommendations described by Warner and his team.
In particular, a Meaningful Use-inspired incentive program to drive cybersecurity adoption has received overwhelming support.
“This is really just a starting point on an issue that is growing exponentially in importance,” Warner said during the webcast from the Archimedes Center for Healthcare and Medical Device Safety at the University of Michigan on Thursday.
The discussion provided insight into where Warner sees the greatest challenges facing health care — and where he needs more insider information.
“With every advanced technology there is a deep, dark underbelly,” Warner said. It is possible that foreign adversaries will take advantage of the intrusion into key systems to steal incredible amounts of personal information. This has already been seen with the extraordinary number of ransomware attacks.
“The most actionable component of our entire operating universe at this point is really the healthcare sector,” Warner said. “If you’re just a simple, ex-ransomware criminal, your ability to break into a healthcare system and steal this kind of personal information pays exponentially more on the black market than breaking into finance or breaking into a series of others.”
The 3 Biggest Healthcare Cybersecurity Challenges
One of the challenges is the sheer complexity of the make-up of federal agencies, which is “a total hodgepodge.” The white paper attempted a flowchart of the many different agencies and entities that affect healthcare and its cybersecurity. As Warner said, “It’s bureaucracy on steroids. It is well intentioned, but without a clear line of control or authority.”
But perhaps a bigger hurdle is the serious mindset shift that needs to happen “that says cybersecurity needs to be integrated into healthcare early on,” instead of the bolt-on way that is so common in the industry.
For the incentives to work, this “has to fundamentally change”, he explained.
The final element is the huge labor problem. As noted in the initial draft, Warner’s proposal includes ideas for how to address cybersecurity labor shortages faced by all sectors, including healthcare. It’s more than money: healthcare also needs training and retention support.
Warner thinks it will take “a mix that goes beyond traditional incentives” to meet the “enormous challenge”. For example, loan repayment or loan forgiveness to undertake cybersecurity programs or train employees, as a way for small rural providers or physician groups to be clawed back for recruitment efforts.
“Across the spectrum of the cybersecurity workforce, we need to recognize that not everyone will need a computer science degree,” Warner said. In all sectors, there must be non-traditional pathways that can even rely on less formal education.
Many educational institutions have created incentives of some sort, but there is still a long way to go. Warner hopes the comments can provide other ideas on how to structure training, credential requirements, or other methods to entice people into this field.
For healthcare, recruiting new staff is particularly difficult because salaries are often lower than in other sectors. Warner is “seeking all the help” he can get to generate new ideas on how to address these challenges.
Progress is underway, but not in the short term
In short, Congress has an opportunity to make real change and has already made incremental progress after the Colonial Pipeline and SolarWinds hacks. Bipartisan legislation that will require breached organizations to notify the Cybersecurity and Infrastructure Security Agency will come into effect in three years.
“Before that, and disproportionately in healthcare,” hospital entities were hacked and “they didn’t tell anyone,” Warner explained. “They didn’t want to suffer public embarrassment.”
But CISA is not meant to be a regulatory agency: the hope is that the agency will be the place where victims and entities “feel they can share this information on a regular basis.”
This progress is only a starting point for what is to come, despite some minor setbacks. Referencing the failure to pass the PATCH Act, Warner noted that the proposed cybersecurity requirements for manufacturers outlined in the bill remain “on the radar screen.”
What is more important, however, is whether they can create a “systemic structure to look at some kind of global oversight” or if the industry continues in its current state with voluntary steps to receive FDA approval.
The requirement to include a software bill of materials (SBOM) with every device is also a “really important component”. When drafting these bills, they failed to realize “there are no minimum standards for IoT devices.” Warner said he discovered that even high-end IoT device makers “didn’t want to spend a few extra pennies building this into your security.”
With “literally billions and billions of IoT devices”, Congress is aware of the need to build in security requirements, at least make things patchable, or prohibit the insertion of code that can never be modified. The SBOM is an important element, and Warner hopes there will be a package in the future with some of the crucial elements of the PATCH Act.
But like most healthcare providers, Warner isn’t sure he’s found “the right answer yet on what to do with particularly old medical devices.” Legacy devices are a persistent and yet to be resolved challenge in healthcare, with lingering questions about whether to secure a vulnerable 10-year-old MRI with 20 years of use remaining.
“I don’t know how we can do it right,” he added.
Industry comments were due in Warner’s office on Dec. 1, but the senator noted that his office has extended the deadline and is still accepting comments on these key issues.